COLUMBIA, S.C. – What takes a couple hours to download onbroadband, more like a couple days if you're using dialup? It's thenew Windows XP Service Pack 2, perhaps the “mother of all patches”and Microsoft's latest and perhaps biggest bid to help plug thesecurity breaches plaguing its mega-brand of operating systems andInternet browsers. SP2, as it's becoming known, can be up to 300 orso megabytes to download, less if your patches are up to date.Microsoft does plan to make it available on CD, as well as dole outthe updates piece by piece through its automatic system alreadyfamiliar to many home PC users and presumably all networkadministrators. The improvements center on helping to block theInternet attacks so often targeted at the biggest target of all.For instance, the existing Internet Connection Firewall feature hasbeen re-named Windows Firewall, activates by default and loads aspart of startup before other applications or services. “This fixesthe small delay that prior versions of Windows XP exhibited inwhich the computer booted and the firewall initialized. The Blasterworm, for instance, used this small delay to infect computers thatwere running Internet Connection Firewall,” says Forrest Rae, asecurity analyst with Digital Defense, an Internet securityservices firm based in San Antonio whose client list is heavy withcredit unions. Other improvements include making the automaticupdate utility more user-friendly, such as adding an “express” or“custom” option, the former installing only critical updatesautomatically. Automatic updates have attracted far more attentionthan before, after the exploits of the Slammer and SoBig.F worms,and Microsoft is hoping to get more users to take that route. Raethinks perhaps the most significant upgrade is the non-executablememory pages, or NX, aimed at easing the problems with bufferoverruns, in which “poorly coded software receives input from anexternal source and copies it in to the computer's internalmemory,” Rae says. “Buffer overruns are extremely common attacksand this protection can dramatically improve Windows XP'sresistance to them.” Ken Kinloch, meanwhile, points to the changes“designed to protect users from accidentally downloading orexecuting dangerous files due to misleading MIME or file nameextensions.” The network and security analyst at Boeing EmployeesCredit Union in Seattle also makes note of “the new InternetExplorer Windows Restrictions which seek to ensure that the titlebar, status bar, address bar or the window itself is not hiddenfrom the user.” (Successful phishing attacks often occur when usersdon't realize that a Web site is bogus.) Kinloch says the $4.8billion CU has only about 25 machines running on XP right now, allby IT staffers. The rest of BECU's desktops will get the operatingsystem in the fall and it will include the upgrades in the servicepack, he says. “Due to the significant changes to corefunctionality, SP2 will require extensive testing,” he adds,comparing it to complete version migrations such as moving fromWindows 98 to Windows 2000. Forrester Research, in fact, also makesthat comparison and had this to say about the new XP upgrade: “Forconsumers, enabling Automatic Updates will schedule the automaticdownload, or customers can call Microsoft to get a CD. But forenterprises, mass deployment of SP2 isn't a practical reality, andfirms should treat SP2 as an operating system upgrade and not justa service pack update. During the rollout, firms need to use thesame procedures and tools as a full-scale OS upgrade.” Speaking ofnew versions of Windows, that's next. The service pack is intendedto keep XP users safe and satisfied as possible until the nextcomplete version, called Longhorn, is released. It's expected to goout for beta testing sometime next year. “Essentially what ishappening here is that some of the simpler security improvementswithin the Longhorn release are being put in SP2 in order to getthem out quickly,” says Josh Daymont, director of Internet securityresearch at Atlanta-based SecureWorks. “Microsoft should beapplauded for putting these improvements out,” Daymont says.“However, there is a lot of concern around compatibility withexisting applications. “These improvements essentially create astricter execution environment for every running application, whichwill foil a hacker's attempts to exploit flaws, but at the sametime these restrictions can kill programs that attempt to takeshortcuts for performance reasons, causing previously good programsto fault and shut down,” he says. He says SecureWorks is advisingits clients, many of them large credit unions, “to take some timein order to test it for compatibility with all in-houseapplications before deploying.” That's also the advice from ChrisKroll, an analyst with credit union Internet banking and securityspecialist PM Systems Corp./CUDefense in Chapin, S.C. “We typicallyadvise clients to apply patches ASAP, and credit unions should havea patch management program that includes requiring testing of allpatches before deployment,” he says. “And in a major release likethis, testing should be done on at least critical systems,” Krollsays. He says he hasn't had a chance to “really look in depth atthe new service pack, but best practices and common sense leads meto believe it will better the overall product in functionality andsecurity.” Core processors often are the first place credit unionsturn for advice on technical matters, and one leading vendor there,too, says it's not yet offering advice on SP2. David Turner, CIO ofIntegraSys, says his staff will be testing SP2 internally to makesure it works with the Fiserv unit's applications. “The servicepack obviously tackles some pressing issues, and its descriptionsounds like Microsoft has addressed them well,” he says. “Ourtesting will also show how intrusive pop-up blockers and its othernew features that will require more interaction with users will be.We also want to see how the new firewall and other securityfeatures interact with existing firewalls.” Of course, at manycredit unions, it's not even an issue. For instance, “we decidedlast year that because of all the issues that were in XP, not tomention compatibility with our host system software, we would staywith Windows 2000,” says Kelley Ferguson, director of network andsecurity services at $500 million Numerica Credit Union in Spokane,Wash. “We know it works and we know we can manage it,” he says.“That was the deciding factor for us.” -

[email protected]